AWS security groups are an excellent way to manage security: they provide a powerful firewall. However, there are some basic rules you need to follow. Without strict security controls, the security of an entire application may be compromised.

1) Create a default AWS security group for your new instances

When you create a new instance through Salt, you are required to specify a default security group. To avoid any security breach, create a default group that only allows ssh.

2) Create a group for your different types of application

Applications of the same type usually use the same ports. For example, if you are running multiple web servers, they will most likely use ports 80/443. Create a security group named “web servers” and apply it to all your instances of this type.

3) Create a base AWS security group

Since you can apply multiple security groups to an instance, why not have different levels of security group? Create a base security group containing all the basic rules you need (ssh, rpc, etc.), and then apply a different security group depending on your application.

4) Create generic groups for back-end and front-end

Unlike front-end services, back-end services are usually not accessible from outside. Make sure to create a base group for each of these two tiers.

5) Don’t neglect outbound rules

Usually, people tend to allow everything outbound. However, that leaves you unprotected against a malicious service. List the external services you need to access and forbid every other port. In most cases, you will just need: ssh, http(s), ftp, ntp, dns and vpn.

6) For an exception, create a new group

Sometimes we need to create exceptions for specific services. However, instead of updating an existing group, which affects every member of that group (and loses security), create a dedicated group for this instance’s exceptions and apply it to the instance in addition to the other security groups.
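To check an exported set of groups against rules 1, 4 and 5 above, here is an added Python example (not code from the original post or from TrackIt). The group names, the `backend-` naming prefix and the VPN port 1194 are assumptions, and the sample data is constructed in the shape of `aws ec2 describe-security-groups` output.

```python
"""Audit security groups (describe-security-groups shape) against the rules above."""
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"
# Outbound ports the article lists as usually sufficient; 1194 for vpn is an assumption.
ALLOWED_EGRESS = {22, 80, 443, 21, 123, 53, 1194}
DEFAULT_GROUP = "default-new-instance"  # assumed name of the group from rule 1


def _cidrs(rule: Dict) -> List[str]:
    return [r["CidrIp"] for r in rule.get("IpRanges", [])]


def _ports(rule: Dict) -> Tuple[int, int]:
    """Return the (from, to) port span; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit(groups: List[Dict]) -> List[str]:
    findings = []
    for g in groups:
        name = g["GroupName"]
        for rule in g.get("IpPermissions", []):
            lo, hi = _ports(rule)
            # Rule 1: the default group for new instances may only expose ssh.
            if name == DEFAULT_GROUP and (lo, hi) != (22, 22):
                findings.append(f"{name}: default group allows {lo}-{hi}, not only ssh")
            # Rule 4: back-end groups must never be reachable from the internet.
            if name.startswith("backend-") and ANY in _cidrs(rule):
                findings.append(f"{name}: back-end ingress open to {ANY} on {lo}-{hi}")
        for rule in g.get("IpPermissionsEgress", []):
            lo, hi = _ports(rule)
            # Rule 5: outbound to the internet must stay within the explicit allow-list.
            if ANY in _cidrs(rule) and not set(range(lo, hi + 1)) <= ALLOWED_EGRESS:
                findings.append(f"{name}: egress to {ANY} on {lo}-{hi} exceeds allow-list")
    return findings


# Constructed sample: one compliant web group, two groups that break the rules.
SAMPLE_GROUPS = [
    {"GroupName": DEFAULT_GROUP,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]},
    {"GroupName": "web-servers",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY}]},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]},
                             {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": ANY}]}]},
    {"GroupName": "backend-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": ANY}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

Running the script prints one finding for the default group's allow-all egress and one for the back-end group's internet-facing ingress; the web-servers group passes.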

Conclusion

In conclusion, AWS security groups are a powerful tool to manage security for your cloud-based applications. By implementing strict security controls, you can ensure that your applications are protected from malicious attacks. Creating default security groups, application-specific groups, base groups, and generic groups for back-end and front-end services can help you organize your security groups and ensure that they are tailored to your specific needs.

In addition, it’s important to not neglect outbound rules, and to only allow access to the external services you need. And in cases where you need to create exceptions for specific instances, it’s best to create a new dedicated group for that instance, rather than updating an existing group and potentially compromising the security of other instances. By following these basic rules, you can help ensure the security of your AWS cloud-based applications.


About TrackIt

TrackIt, an Amazon Web Services Advanced Consulting Partner based in Marina del Rey, CA, offers a range of cloud management, consulting, and software development solutions. Their expertise includes Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization, with a focus on Media & Entertainment workflows, High-Performance Computing environments, and data storage.

TrackIt excels in cutting-edge software design, particularly in the areas of containerization, serverless architectures, and pipeline development. The company’s team of experts can help you design and deploy a custom solution tailored to your specific needs.

In addition to cloud management and modern software development services, TrackIt also provides an open-source AWS cost management tool to help users optimize their costs and resources on the platform. With its innovative approach and expertise, TrackIt is the ideal partner for organizations seeking to maximize the potential of their cloud infrastructure.
